Verify that the Expiration Date is set for all Keys in RBAC Key Vaults

Framework Reference: A.8.24 Integration: Azure – Key Vault (RBAC-Enabled)

Why this matters:
Keys without expiration dates remain valid indefinitely, increasing the risk of outdated or compromised cryptographic material being used. Enforcing key expiration ensures regular rotation and deactivation of keys, supporting a secure and auditable key lifecycle aligned with compliance and cryptographic hygiene best practices.


What this check does:
This check verifies that all enabled keys in RBAC-enabled Azure Key Vaults have an expiration date configured.

Check Logic:

For each Key Vault with EnableRbacAuthorization = true:

All keys where attributes.enabled = true must have attributes.expires ≠ null

Where this is configured:
Azure Key Vault → Keys → Key Properties → Expiration Date field

How this check is executed:

Azure Portal:

  • Navigate to Key vaults
  • Select each vault, then go to Keys
  • For each enabled key, confirm an Expiration Date is set

Azure CLI:

az keyvault list
az keyvault key list --vault-name <VaultName> \
  --query "[*].{kid:kid, enabled:attributes.enabled, expires:attributes.expires}"

Verify that enabled = true always corresponds with a non-null expires value.

PowerShell:

Get-AzKeyVault
Get-AzKeyVault -VaultName <VaultName>
# Check if EnableRbacAuthorization = True

Get-AzKeyVaultKey -VaultName <VaultName>
# Inspect each key for: Enabled = True and Expires ≠ null
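The check logic above expressed in Python over the JSON that the az commands return, as an added example that is not part of this article: it evaluates a constructed sample offline and, when a logged-in `az` session is available, the live subscription. It goes one step beyond the page's rule by also flagging enabled keys whose expiration date has already passed; the vault and key names in the sample are made up.

```python
import json
import subprocess
from datetime import datetime, timezone
# Constructed sample shaped like `az keyvault show` output and the page's `az keyvault key list --query` output.
SAMPLE_VAULTS = [{"name": "kv-rbac-prod", "properties": {"enableRbacAuthorization": True}},
                 {"name": "kv-legacy", "properties": {"enableRbacAuthorization": False}}]
KV = "https://kv-rbac-prod.vault.azure.net/keys/"
SAMPLE_KEYS = {
    "kv-rbac-prod": [
        {"kid": KV + "signing/1a2b", "enabled": True, "expires": "2099-12-31T23:59:59+00:00"},
        {"kid": KV + "no-expiry/3c4d", "enabled": True, "expires": None},
        {"kid": KV + "stale/5e6f", "enabled": True, "expires": "2020-01-01T00:00:00Z"},
        {"kid": KV + "retired/7a8b", "enabled": False, "expires": None}],
    "kv-legacy": [{"kid": "https://kv-legacy.vault.azure.net/keys/k/9c0d", "enabled": True, "expires": None}],
}

def evaluate_keys(vault_name, keys, now=None):
    """Enabled keys with no expiration (the page's check) plus, beyond it, enabled keys already expired."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for key in keys:
        if not key.get("enabled"):
            continue  # disabled keys are out of scope for this check
        expires = key.get("expires")
        if expires is None:
            findings.append((vault_name, key["kid"], "enabled key has no expiration date"))
        elif datetime.fromisoformat(expires.replace("Z", "+00:00")) <= now:
            findings.append((vault_name, key["kid"], "enabled key is already past its expiration date"))
    return findings

def evaluate_vaults(vaults, keys_by_vault, now=None):
    """Apply the check only to vaults with enableRbacAuthorization = true."""
    findings = []
    for vault in vaults:
        if vault.get("properties", {}).get("enableRbacAuthorization") is True:
            findings += evaluate_keys(vault["name"], keys_by_vault.get(vault["name"], []), now)
    return findings
def az_json(*args):
    """Run an az CLI command (needs a logged-in session) and parse its JSON output."""
    return json.loads(subprocess.check_output(["az", *args, "-o", "json"], text=True))
if __name__ == "__main__":  # live run against the subscription; falls back to the sample when `az` is unavailable
    try:
        vaults = [az_json("keyvault", "show", "--name", v["name"]) for v in az_json("keyvault", "list")]
        keys = {v["name"]: az_json("keyvault", "key", "list", "--vault-name", v["name"], "--query",
                "[*].{kid:kid, enabled:attributes.enabled, expires:attributes.expires}") for v in vaults}
    except (OSError, subprocess.CalledProcessError):
        vaults, keys = SAMPLE_VAULTS, SAMPLE_KEYS
    for vault, kid, reason in evaluate_vaults(vaults, keys):
        print(f"FAIL {vault}: {kid}: {reason}")
```

On the sample this reports the two non-compliant keys in kv-rbac-prod and skips the access-policy vault, since the check applies only to RBAC-enabled vaults.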


How to fix it:

Azure Portal:

  1. Go to Key vaults > select a vault
  2. Click Keys
  3. For each enabled key, click into the key version
  4. Under Attributes, set an Expiration Date
  5. Save the changes

Azure CLI:

az keyvault key set-attributes \
  --name <keyName> \
  --vault-name <vaultName> \
  --expires <YYYY-MM-DDTHH:MM:SSZ>

Note: The "List" Key permission is required to view expiration dates. To update expiration dates, assign the Key Vault Crypto Officer role via IAM.

PowerShell:

Set-AzKeyVaultKeyAttribute `
  -VaultName <VaultName> `
  -Name <KeyName> `
  -Expires (Get-Date).AddYears(1)


Exceptions:
None specified.


Further resources:
